Apple fixes Exchange (but not passcode unlock) bug with iOS 6.1.2

The update fixes only one of the two high-profile bugs from iOS 6.1.

iOS 6.1.2 brings a microscopic but important list of changes.

Andrew Cunningham

Apple has released the promised iOS 6.1.2 update today to fix the Exchange bugs that have been plaguing users since the release of iOS 6.1. The bug caused iOS devices connected to Exchange servers to over-poll calendars and mailboxes, leading Microsoft to recommend that administrators block or throttle iOS devices until the bug was fixed.

The release notes only mention the Exchange issues, but we wanted to check to see if the passcode unlock bug from iOS 6.1 had also been fixed. We tried the convoluted unlock exploit on our own iPhone 4S and were able to unlock the screen successfully under iOS 6.1.1, and the same process once again unlocked the phone in iOS 6.1.2, giving us access to the phone dialer app and all of the information contained within. Put simply: it doesn't look like this update fixes the passcode unlock bug, according to our testing.

If you're worried about your device's security, turn off the "simple passcode" feature on your phone and use a more complex, alphanumeric passcode instead—reportedly, complex passcodes are not subject to the same security flaw. Update: commenter Kosh_179 says that using a complex password also won't protect you from the exploit. In that case, we'll have to wait for Apple to fix the problem.

Users who need the update can grab it over the air or via iTunes. While iOS 6.1.1 was available only for the iPhone 4S, iOS 6.1.2 applies to all devices supported by iOS 6: the iPhones 3GS, 4, 4S, and 5; the iPad 2, iPad mini, and both Retina iPads; and the fourth and fifth-generation iPod Touches.

How could Apple have possibly not fixed this? It makes me think the underlying issue that causes it is a lot larger than even they would have guessed.

The underlying issue is giving access to hardware and software to make a call without giving access to anything else. It doesn't seem like Apple have made a completely sandboxed or otherwise independent emergency call system (I'm kind of surprised they haven't at this point, simply a new phone app that only works when doing an emergency call), they're simply allowing access to the entire phone section (which in turn can access other things).

Going by each generation of this security flaw, each time Apple is narrowing down further what can be accessed; right now it seems contacts need to be limited. It makes sense why an emergency caller may need to access contacts (to call someone's family in an emergency), which is unlike in the past where the bug allowed access to all sorts of things that could just be restricted. I can see how that takes more work.

There were two major bugs. One of them was actively resulting in corporations blocking iPhones from their servers, thereby diminishing the experience of owning an iPhone. The other one is a security hole that requires physical access to the device. They probably rushed the fix out for Exchange and are still working on (and testing) the security fix.

I wholeheartedly agree. I am at a loss for why Apple has not allowed certain contacts to be designated as emergency contacts. It could be as simple as adding a contact to one's favorite contacts list.

So the iPad, which was released almost a year after the 3GS, can't run iOS 6 but the 3GS can?

WOW

I presume that you've done extensive research into why this is the case before commenting? I'm sure that you are well aware that the iPad one, released 9 months after the iPhone 3GS, has the same amount of RAM driving a screen that is 4 times the size? Incidentally, you have stated numerous times how much you disdain Apple, so why do you bother reading and commenting on the articles? Is it really just to troll?

I think the emergency call is *only* for 911. Essentially for strangers who find a random phone in the middle of a true emergency to be able to make use of it. This "emergency contacts" thing doesn't sound like really the same use case. Maybe it's my misunderstanding though.

This is flat-out a bug. Apple's going to fix it, but it probably takes time, because the bug is activated only during the shutdown process.

Nope, wasn't aware of those things. That's really strange to me. I mean, didn't the iPhone 4 literally come out a few months after the iPad? So the iPad was literally designed to be a crippled product from a RAM standpoint?

"Crippled"? I think you misspelled "subject to a complex set of tradeoffs intended to maximize the appeal of a new category of product in the marketplace".

Perhaps you don't remember how everybody was speculating whether Apple would be able to get the iPad under $1000, and when it came out at $500 everyone was blown away, competitors canceled plans for pre-announced $600-700 vaporware tablets, etc.

I'm not suggesting 768 MB of RAM costs hundreds of dollars; I'm merely pointing out that the first version of the iPad contained necessary compromises (as evidenced by how quickly the hardware evolved over the next couple of years). I'd also point out that the iPhone is subject to a different set of design tradeoffs than the iPad.

So the result is that while the iPad 1 might be capable of having iOS 6 shoehorned onto it, Apple decided that they didn't like the resulting user experience and so declined to support that configuration, while supporting it on the iPhone 4.

Apple mobile devices are supported from when they are last sold, not from when they are first sold. The original iPad stopped selling in March 2011 (after 1 year on the market), and got updates for another year from then. The 3GS stopped selling in September 2012 (after 3 years on the market), and probably won't get iOS 7.

The way that fix description is written makes it seem like the bug was in Exchange.

Actually, yes, that is actually the case. It's a calendar exception handling process that, as far as I can glean from code experts I know, Apple was actually handling CORRECTLY; it's just that doing so creates a looping condition which it continued to handle over and over. MS itself admitted they ALSO needed to patch Exchange itself to truly fix the bug, and that anything Apple was doing would just be a "workaround", not a fix (but would stop the problem). The reason only Apple seems to have this issue is that it's the only device with official Exchange access through ActiveSync that also includes calendar access that is not running an actual version of Outlook itself (which apparently ignores this error and wasn't itself handling it properly). Android and RIM don't hit Exchange except for mail and contacts; calendar is only supported through 3rd party apps.

I'd bet you that they haven't patched it yet. The exchange fix feels like something they are pressured to do ASAP by large corporate customers and so they would get that out as soon as possible. I'm sure they know about the passcode unlock bug quite well by now and have a team on it, but I expect that fix, which is more focused on something of interest to the masses, will be released in the same update with a jailbreak patch. That would leave jailbreakers with an unpleasant choice, a good strategic move if you assume Apple is against jailbreaking, which they are at least on the surface.

I agree as well. Just as there are VIP contacts in email, there should be ICE (In Case of Emergency) contacts available for emergency dialing from the lock screen!

Probably because they have customers and enterprises pestering them for the Exchange fix. It was probably also easier to QA, etc. The passcode issue, even if not difficult to fix, likely requires more QA because of the systems impacted.

This issue has nothing to do with being able to do emergency calls (apart from it being the entry point to the unlocking). The phone app needs access to the address book and the images because it will show the name and an image for incoming calls from a known number.

To get around this, Apple will either have to store a copy of that data within the scope of the phone app and update it every time the data changes or copy the data every time the phone is locked.
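The split the commenter describes (the phone app needs caller-ID data for incoming calls, but should not hold the whole address book while the device is locked) is a least-privilege problem. The following Python model is an added illustration for this page; it is neither the commenter's nor Apple's code, and the class names, the constructed address book and the assumed set of emergency numbers are all hypothetical. It contrasts a phone app that keeps a reference to the full address book with one that only receives a read-only number-to-name snapshot copied at lock time, which is the second option the commenter mentions.

```python
"""Least-privilege caller-ID snapshot for a lock-screen phone app (added example)."""
from dataclasses import dataclass
from types import MappingProxyType
from typing import Mapping, Optional, Sequence


@dataclass(frozen=True)
class Contact:
    name: str
    numbers: tuple
    email: str = ""
    notes: str = ""


# Constructed sample address book for the illustration (not real data).
ADDRESS_BOOK: Sequence[Contact] = (
    Contact("Alice Example", ("+15550100",), "alice@example.test", "door code 4321"),
    Contact("Bob Example", ("+15550101", "+15550102"), "bob@example.test"),
)

# Numbers the locked phone app may still dial (assumed set for the example).
EMERGENCY_NUMBERS = frozenset({"911", "112"})


def normalize(number: str) -> str:
    """Keep digits and a leading '+' so formatted input matches stored numbers."""
    return "".join(ch for ch in number if ch.isdigit() or ch == "+")


class BroadPhoneApp:
    """The design the commenter criticises: the phone app holds the whole book,
    so any lock-screen path that lands in this app can reach every field."""

    def __init__(self, book: Sequence[Contact]):
        self.book = book

    def caller_id(self, number: str) -> Optional[str]:
        wanted = normalize(number)
        for contact in self.book:
            if wanted in contact.numbers:
                return contact.name
        return None

    def reachable_fields(self) -> list:
        """Every populated field a bypass into this app could read."""
        return sorted({f for c in self.book
                       for f in ("name", "numbers", "email", "notes") if getattr(c, f)})


def build_caller_id_snapshot(book: Sequence[Contact]) -> Mapping[str, str]:
    """Copy only number -> display name into a read-only map at lock time."""
    snapshot = {normalize(num): c.name for c in book for num in c.numbers}
    return MappingProxyType(snapshot)


class LockedPhoneApp:
    """The scoped design: labels incoming calls and dials emergency numbers,
    and nothing else, because it never receives the address book."""

    def __init__(self, snapshot: Mapping[str, str]):
        self._snapshot = snapshot

    def caller_id(self, number: str) -> Optional[str]:
        return self._snapshot.get(normalize(number))

    def dial(self, number: str) -> str:
        wanted = normalize(number)
        if wanted not in EMERGENCY_NUMBERS:
            raise PermissionError("only emergency numbers can be dialed while locked")
        return f"dialing {wanted}"

    def reachable_fields(self) -> list:
        return ["name", "numbers"]


if __name__ == "__main__":
    broad = BroadPhoneApp(ADDRESS_BOOK)
    locked = LockedPhoneApp(build_caller_id_snapshot(ADDRESS_BOOK))
    print("broad app exposes:", broad.reachable_fields())
    print("locked app exposes:", locked.reachable_fields())
    print("caller ID while locked:", locked.caller_id("+1 (555) 0101"))
```

The point of the snapshot is data minimization: whatever a lock-screen entry point reaches inside the phone app, the only contact data physically present there is the number-to-name map, and it is read-only. The snapshot has to be rebuilt whenever contacts change or the device locks, which is the maintenance cost the commenter alludes to.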

First, before you do anything, you need to install mobilesubstrate_0.9.3996_iphoneos-arm.deb from http://apt.saurik.com/debs/ ; this will disable the ability to launch safemode at boot.

This hole can be plugged on jailbroken phones by doing 3 simple things.

1 - Always close the phone app in your cached applications (by double clicking the home button and holding an application icon for a few seconds, then tapping the red minus symbol on the app you want to close).

2 - Map the home button to sleep and the power button on short hold to play/pause track both at the lockscreen using activator version 1.6.2-2 which can be found in the Netoobuntu repo under the name "iOS6 - activator"

(note: you won't be able to use activator menus with this version; if you do, your springboard may crash)

You will also need to use double click from here on forward to get to the unlock screen.

3 - Make sure if you are jailbroken you have the very latest core development libraries (mainly the mobilesafety library) by updating cydia. (hit refresh on the changes tab)

That's it!

If this helped you, follow me on twitter @XIPRELAY, I'll be happy to answer any questions.

ps: By the way for those of you who hate waiting for cydia to load you can double click home to stop the refresh process when first starting it up.

XIPRELAY, 6 days ago: As someone mentioned on twitter there is also an unintended easter egg in this. By doing this you also have a lockscreen glance simply by holding down the home button then letting go.

XIPRELAY, 5 days ago: UPDATE: 02/15/2013

After a little research I realized that this isn't the only exploit that has been uncovered in the last few days. Unfortunately 3 other exploits similar to this (all that utilize the Power>Cancel function) (which is helpful) are in the wild. These exploits are even far more dangerous. One even allows the subject to reset the device's simple passcode altogether.

So I tested my above workarounds against those as well and it seems at least one of them may slip through.

To completely close the hole for all 4 exploits, instead of mapping the sleep button to play/pause, map the sleep button to a home button simulation press.

This should close the gap completely while you are in a jailbroken state.

There are some drawbacks doing this however. You will:

- No longer have the ability to soft reboot or soft power down from the lockscreen.

It also has some caveats :

- Anyone attempting the exploits will trigger the system screenshot feature, essentially leaving evidence of their attempted intrusion. Those images are timestamped by the way.

- Activator can be used to do some other exciting things, just to name a few that I particularly like: Triple click mapped to Wifi Network settings. Map the silent switch to do not disturb using the Do Not Disturb plugin for activator/sbsettings. The list goes on...

Obviously I can't guarantee this would protect against future exploits that don't use the Sleep>Cancel trick. But I can't say it won't help either. As always remember to backup and use findmyphone.

Just checked using the OTA update (waiting on new Mac, no computer at home now) and saw it is 882 MB! Seems a wee bit large.

18.4MB for my iPhone 5 - were you running 6.1.1 before? I think Apple generally only do "previous version delta" and "combo" updates, so if you're running anything but the previous version it's effectively a full update.

Andrew Cunningham / Andrew has a B.A. in Classics from Kenyon College and has over five years of experience in IT. His work has appeared on Charge Shot!!! and AnandTech, and he records a weekly book podcast called Overdue.